Hello everyone,
I believe this post will finally provide a definitive answer to this thread. Here goes.
While blocking these bogus top level domains is a good way to catch more spam it should not be thought of as an end-all be-all. By far the 2 best ways to block spam are making sure that you are using real-time blacklists and strict rDNS checking.
Once you have those 2 in place if you don't already, the best solution that works like a charm for blocking TLD's does involve editing the exim.conf on the backend. There are 2 schools of thought on this. One is open up a ticket and demand that Sophos make the modification for you since they broke it and have not offered a fix for years now. The other is well, not recommended.
Credit for this solution goes to Billy Bob and it is already in the thread here:
Modify the exim.conf file to workaround the problem but keep in mind it will break your support and may break other things if you are using profiles
Modify the exim.conf file to workaround the problem but keep in mind it will break your support and may break other things if you are using profiles
After some help from Bob and Remuflon, these are my notes on the solution (to provide to Sophos Support of course):
If you're using high-availability then you will have to do it on all nodes.
As far as I can tell it will survive reboot and probably most updates.
The result is that the messages are bounced telling the sender they are blacklisted.
You can add more TLD's as required on web admin side later without breaking the solution.
So first go to web admin and add the domains under Sender Blacklist, Blacklisted Address Patterns on the Anti-Spam tab under Email Protection, SMTP. This will update this file: /var/storage/chroot-smtp/etc/exim.conf.senderblacklist/REF_SMTPGlobalProfile
These are the TLD's I have pulled from the log files that I'm currently using (cut-and-paste freely):
*@*.link
*@*.xyz
*@*.click
*@*.pro
*@*.top
*@*.science
*@*.download
*@*.date
*@*.design
*@*.stream
*@*.gdn
*@*.men
*@*.win
*@*.party
*@*.webcam
*@*.link
*@*.xyz
*@*.click
*@*.pro
*@*.top
*@*.science
*@*.download
*@*.date
*@*.design
*@*.stream
*@*.gdn
*@*.men
*@*.win
*@*.party
*@*.webcam
Next, log into the backend as loginuser and then elevate to root using "su -" without the quotes of course.
So as to leave yourself a backup plan if something goes wrong first make a backup copy of exim.conf by entering:
cp /var/storage/chroot-smtp/etc/exim.conf /var/storage/chroot-smtp/etc/exim.conf.original
cp /var/storage/chroot-smtp/etc/exim.conf /var/storage/chroot-smtp/etc/exim.conf.original
Then edit the exim.conf file using your choice of editor (choices are Joe for the average Joe, or VI for pros and masochists):
joe -help /var/storage/chroot-smtp/etc/exim.conf
joe -help /var/storage/chroot-smtp/etc/exim.conf
or
vi /var/storage/chroot-smtp/etc/exim.conf
In either editor search for "SENDERBLACKLIST" without the quotes of course. The line you want to comment is line 364.
Comment this line:
# senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}}
# senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}}
Add this line directly below it:
senders = SENDERBLACKLIST/REF_SMTPGlobalProfile
senders = SENDERBLACKLIST/REF_SMTPGlobalProfile
The section should now look like this:
# Sender blacklist
drop message = Access denied (sender blacklisted)
domains = +domains
# senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}}
senders = SENDERBLACKLIST/REF_SMTPGlobalProfile
set acl_c0 = sender_blacklist
set acl_c1 = $sender_address blacklisted
condition = INSERT_REJECT
logwrite = LOG_RCPT_REJECT
# Sender blacklist
drop message = Access denied (sender blacklisted)
domains = +domains
# senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}}
senders = SENDERBLACKLIST/REF_SMTPGlobalProfile
set acl_c0 = sender_blacklist
set acl_c1 = $sender_address blacklisted
condition = INSERT_REJECT
logwrite = LOG_RCPT_REJECT
NOTE: You can also edit the response the spammer receives to something more interesting by changing the part after the = sign in the "drop message" line. 
Save the file and restart the SMTP proxy using:
/var/mdw/scripts/smtp restart
/var/mdw/scripts/smtp restart
At this point it just works in one second flat and here's the proof:
2017:01:31-19:55:42 cloud-utm1-1 exim-in[9489]: 2017-01-31 19:55:42 SMTP connection from [192.188.88.232]:35431 (TCP/IP connection count = 1)
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 Warning: domaim.com profile excludes greylisting: Skipping greylisting for this message
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 Warning: domain.com profile excludes SANDBOX scan
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.188.88.232" from="NewCarQuotes@sloy.party" to="user@domain.com" size="-1" reason="sender_blacklist" extra="NewCarQuotes@sloy.party blacklisted"
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 F=<NewCarQuotes@sloy.party> rejected RCPT <user@domain.com>: Access denied (sender blacklisted)
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 SMTP connection from (0f9efdc7.sloy.party) [192.188.88.232]:35431 closed by DROP in ACL
2017:01:31-19:55:42 cloud-utm1-1 exim-in[9489]: 2017-01-31 19:55:42 SMTP connection from [192.188.88.232]:35431 (TCP/IP connection count = 1)
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 Warning: domaim.com profile excludes greylisting: Skipping greylisting for this message
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 Warning: domain.com profile excludes SANDBOX scan
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.188.88.232" from="NewCarQuotes@sloy.party" to="user@domain.com" size="-1" reason="sender_blacklist" extra="NewCarQuotes@sloy.party blacklisted"
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 F=<NewCarQuotes@sloy.party> rejected RCPT <user@domain.com>: Access denied (sender blacklisted)
2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 SMTP connection from (0f9efdc7.sloy.party) [192.188.88.232]:35431 closed by DROP in ACL
While that is truly the best solution, if you can get Sophos to do it for you; there is another way I came up with that will not void the warranty.
It is far less than ideal but it is the only solution that does not involve modifying the config files via SSH.
Here it is:
First set up individual local user accounts (I imagine AD or LDAP accounts should still work if you have them) on the Users tab under Definitions & Users, Users & Groups. When creating the user accounts be sure to add all email addresses that you want associated with that user if they have more than one because this solution will only work for listed email addresses.
Next, while still editing the user account go to Advanced User Settings and add the following list under Sender Blacklist. These are the ones I'm currently using but obviously when the spammers start using a new top level domain to further evade detection you will have to add it to each individual account.
*@*.link
*@*.xyz
*@*.click
*@*.pro
*@*.top
*@*.science
*@*.download
*@*.date
*@*.design
*@*.stream
*@*.gdn
*@*.men
*@*.win
*@*.party
*@*.webcam
*@*.xyz
*@*.click
*@*.pro
*@*.top
*@*.science
*@*.download
*@*.date
*@*.design
*@*.stream
*@*.gdn
*@*.men
*@*.win
*@*.party
*@*.webcam
Sadly not only does the solution require this be done for each individual account but also, it only forces the spam email to quarantine and doesn't just flat out bounce it like it should. Users will start to see these spams in their quarantine but they should be used to it anyway.
The solution works fine however and it catches 100% of all spam from the TLD's specified.
Obviously the caveats with either solution are that no legitimate mail can come from any of these top level domains and that you can not use it for common TLD's like .com, .net, .us, etc. That being said, I find it highly unlikely that there are many, if any, legitimate emails coming from these top level domains so in the end it works out okay.
One last thing. There is an open feature request on this. Please take the time to go there and add your votes and comments. Here is that URL:
Ability to block any subdomain in the Blacklisted address patterns
Ability to block any subdomain in the Blacklisted address patterns
No comments:
Post a Comment